This script generates a payload for use with Responder.

- Generate a payload with `main.py`.
- Copy and paste the one-liner output into the `WPADScript` field of `Responder.conf`.

```
test@test:~$ python3 main.py --help
usage: main.py [-h] [-o OUT] cmd
```
### Keybase proof

I hereby claim:

* I am jthuraisamy on github.
* I am jthuraisamy (https://keybase.io/jthuraisamy) on keybase.
* I have a public key whose fingerprint is 3CC0 1B4C 2920 F44E 8973 2DFD 764F 2E48 2337 A611

To claim this, I am signing this object:
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# References:
# 1. https://pentestlab.blog/2017/12/13/smb-share-scf-file-attacks/
# 2. https://room362.com/post/2016/smb-http-auth-capture-via-scf/
from argparse import ArgumentParser
from configparser import RawConfigParser
```
```asm
.code
NtCreateFile PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtCreateFile_Check_X_X_XXXX:                ; Check major version (PEB->OSMajorVersion).
    cmp dword ptr [rax+118h], 5
    je NtCreateFile_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtCreateFile_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
```
```asm
.code
NtAcceptConnectPort PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtAcceptConnectPort_Check_X_X_XXXX:         ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtAcceptConnectPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtAcceptConnectPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
```
GhostLoader Steps :)

1. Create C:\Tools
2. Copy some .NET binary (any .NET binary will do) to C:\Tools
3. In this example, we use FileHistory.exe, but any .NET app will do.
4. Ensure FileHistory.exe.config is in the same path
5. Execute C:\Tools\FileHistory.exe
```python
# Recover function names from logger function calls.
#@author @Jackson_T
#@category _NEW_
#@keybinding
#@menupath
#@toolbar
import re
from ghidra.program.model.symbol import SourceType
```
```python
import os.path
import pefile

print('#pragma once')

target_dll = r'target.dll'
pe = pefile.PE(target_dll)

# Walk the export table of the target DLL, skipping ordinal-only exports.
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    if export.name:
        name = export.name.decode()
```
| IDA Plugins | Preferred | Neutral | Unreviewed |
|---|---|---|---|
TL;DR: Using symbolic execution to recover driver IOCTL codes that are computed at runtime.

The goal here is to find valid IOCTL codes for the HackSysExtremeVulnerableDriver by analyzing the binary. The control flow differs between the binary and the source due to compiler optimizations. As a result, only a few IOCTL codes appear in the assembly as constants, while the remaining ones are computed at runtime.

The code in hevd_ioctl.py is an approximation of the control flow of the compiled IrpDeviceIoCtlHandler function. The effects of the compiler optimization are more pronounced when comparing this code to the original C function. To comply with the requirements of the PyExZ3 module, the target function is named after the script's filename, and the `ex